The Aadhaar breach is back in the news: this time the system is said to have been compromised by a software patch that disables critical security features of the software used to enroll new Aadhaar users, allowing hackers to generate unauthorized Aadhaar numbers.
Furthermore, the patch is said to be freely available for as little as Rs. 2,500, allowing unauthorized persons anywhere in the world to generate Aadhaar numbers at will. The patch is a bundle of code used to alter the functionality of a software programme. It lets users bypass critical security features such as the biometric authentication of enrolment operators in order to generate unauthorized Aadhaar numbers, disables the enrolment software’s inbuilt GPS security feature, and reduces the sensitivity of the enrolment software’s iris-recognition system.
…so that their enrolment/updation is done only on authorized machines and their efforts do not get wasted because of rejection of their enrolments or updates. (The list of authorized Aadhaar Kendra is available on UIDAI website https://t.co/Sy2gBGp78t).
— Aadhaar (@UIDAI) 11 September 2018
This vulnerability is said to be linked to the technology choice made at the inception of the Aadhaar programme, meaning that fixing this and other vulnerabilities would require altering Aadhaar’s fundamental structure. Gustaf Björksten, Chief Technologist at Access Now, a global technology policy and advocacy group, said: “Whoever created the patch was highly motivated to compromise Aadhaar.”
The primary cause of the hack lies in the decision made in 2010 to let private agencies enroll users in the Aadhaar system in order to speed up enrolments. Mindtree, a Bengaluru-based company, won a contract to develop an official, standardized enrolment software, called the Enrolment Client Multi-Platform (ECMP).
The report comes at a time when UIDAI is mandating new facial recognition for all Aadhaar authentications. HuffPost, which broke the news, says it gained access to the patch and had it verified by multiple experts. The patch also disables the enrolment software’s pre-installed GPS security feature, which UIDAI uses to identify the physical location of enrolment centers. Removing the GPS requirement would allow patch users to generate numbers from anywhere in the world.
The new software patch does not give read access to the Aadhaar database; instead, it enables the addition of new information to the Aadhaar system. HuffPost India says it provided a copy of the patch to the National Critical Information Infrastructure Protection Centre (NCIIPC) earlier this year, but the government entity declined to comment on the findings.
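Every control the patch defeats (operator biometric authentication, the GPS check, the iris-match sensitivity) is enforced inside the enrolment client, which is exactly the code an attacker controls. The following is an added example, not code from the article or from UIDAI's ECMP, of the defensive counterpart: re-validating each enrolment packet on the server, where a patched client has no influence. The packet field names, the authorized-center coordinates, the geofence radius and the iris threshold are all constructed assumptions.

```python
import math

# Constructed registry of authorized enrolment centers: id -> (lat, lon).
AUTHORIZED_CENTERS = {
    "CENTER-001": (12.9716, 77.5946),  # constructed, Bengaluru
    "CENTER-002": (28.6139, 77.2090),  # constructed, New Delhi
}
MAX_DISTANCE_KM = 5.0    # constructed geofence radius around a center
MIN_IRIS_SCORE = 0.80    # constructed server-side iris match threshold

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def validate_packet(pkt):
    """Return reasons to reject an enrolment packet; empty means accept.
    Client-reported verdicts such as an 'iris_ok' flag are ignored, since a
    patched client sets them freely; decisions are re-derived from raw fields."""
    reasons = []
    # 1. Operator biometric authentication: require a server-issued session
    #    created when the operator's biometrics were matched server-side.
    if not pkt.get("operator_session_id"):
        reasons.append("missing operator biometric session")
    # 2. GPS: a patched client may omit or forge the fix, so it is mandatory
    #    and must lie inside the geofence of the claimed authorized center.
    center = AUTHORIZED_CENTERS.get(pkt.get("center_id"))
    gps = pkt.get("gps")
    if center is None:
        reasons.append("unknown enrolment center")
    elif gps is None:
        reasons.append("missing GPS fix")
    elif haversine_km(gps, center) > MAX_DISTANCE_KM:
        reasons.append("GPS fix outside authorized center geofence")
    # 3. Iris sensitivity: apply the server's threshold to the raw match
    #    score, so a lowered client-side threshold has no effect.
    if pkt.get("iris_score", 0.0) < MIN_IRIS_SCORE:
        reasons.append("iris match score below server threshold")
    return reasons

# Constructed packets: one from a genuine client, one as a patched client
# that skipped operator auth, dropped GPS and lowered the iris threshold.
GOOD_PACKET = {"operator_session_id": "sess-7f3a", "center_id": "CENTER-001",
               "gps": (12.9720, 77.5950), "iris_score": 0.93}
TAMPERED_PACKET = {"center_id": "CENTER-001", "iris_score": 0.41}
```

The tampered packet is rejected for all three missing controls even though a patched client would have reported it as valid; the lesson is that the client's own verdict is never an input to the decision.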
The claims lack substance and are baseless. UIDAI further said that certain vested interests are deliberately trying to create confusion in the minds of people which is completely unwarranted. 2/n
— Aadhaar (@UIDAI) September 11, 2018
UIDAI, responding to the findings, said:
Unique Identification Authority of India (UIDAI) hereby dismisses a news report appearing in social and online media about Aadhaar Enrolment Software being allegedly hacked as completely incorrect and irresponsible. The claims lack substance and are baseless. UIDAI further said that certain vested interests are deliberately trying to create confusion in the minds of people which is completely unwarranted.